Microsoft Corp. (MSFT) issued a security advisory and threat database entry this week after a flaw was discovered that affected virtually every active version of Internet Explorer (IE), from IE6 to the latest and greatest IE 11.

The flaw won't work on many corporate distributions as since Windows Server 2003, a mode called "Enhanced Security Configuration" (ESC) has been included which sandboxes and restricts the privileges of the browser. ESC is the default in all modern versions of Windows Server (since WS 2003), so unless you explicitly turn off ESC you should be safe.

Those restrictions should eliminate the attack. However, those using a third-party client such as Mozilla's Thunderbird with IE set as the default browser are still at risk.

II. How it Works

The flaw involves so-called heap feng shui. The exploit is pretty sophisticated, involving loading allocating and corrupting objects for the third party Adobe Systems Inc. (ADBE) Flash plug-in via a Javascript (not to be confused with Oracle Corp.'s (ORCL) Java). The script loads the SWF Flash object and makes a call to it after some setup, the Flash object calls back to Javascript, and finally the Javascript corrupts the Flash object.

The exploit takes advantage of a flaw in IE's handling of Flash objects. [Image Source: Adobe]

Again, here we come into a limitation of the bug -- it only allows unprotected memory access within the logged in user's account. So unless a logged in administrator foolishly visits an attack page, the initial damage is limited. However, a savvy attacker could bide their time and test other potential exploits after gaining user access, eventually working their way to root.

In that regard, the attack can be viewed as IE -- and by proxy, the Flash Plug-in -- granting the attacker a foothold in the system.

Every modern version of IE for client computers is at risk from the serious flaw.

Microsoft says this foothold can be used for a number of ill-purposes including:

view data

changing data (memory injection)

deleting data

keylogging

installing malicious programs

creating accounts to give attacker full user rights

III. Who is at Risk

Despite the aforementioned limitations (no root, limited opportunities for attacking Windows Server), the attack is still quite dangerous for a few reasons.

First it's relatively rare to find a flaw that affects all versions of IE (but certainly not unprecedented). Such flaws -- even if weaker in practice -- are a major threat by merit of IE's market share alone, which is typically spread over several recent versions. Fire Eye estimates that over a quarter of Windows users browse using recent versions of IE and are vulnerable.

Second, the attack code does not need any sort of unusual offline tactics, so it's possible to host a webpage that performs the entire attack. This opens a wealth of possibilities for click-baiting in emails, luring users to innocent sound URLs that are really attack pages.

Attackers could use click-baiting to draw users to malicious webpages that exploit the flaw. [Image Source: iStock Photo]

As mentioned, many enterprise users may not be at risk on the server side, but on consumer and enterprise client side, it's a far different story. For those who use IE as their daily browser, you run a risk that any website you visit could exploit the flaw in the browser's security.

IV. Active Exploits Target U.S. Banks, Defense -- NSA? China?

Aside from the higher than normal threat level for the bug, another thing that makes this an attention-catching discovery is the fact that Fire Eye appears to have discovered the bug while probing an attack in the wild. It has uncovered a series of attacks that it dubs "Operation Clandestine Fox".

Fire Eye's Vitor De Souza describes the observed attacks in an interview with Reuters, stating:

It's a campaign of targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors. It's unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering.

Someone has been exploiting the IE flaw in the wild for the last year to target the U.S. banking and defense industry -- one prime suspect is China. [Image Source: DMM News]

At this point it is unclear who performed these attacks. China has long been accused of carrying out attacks on the U.S. financial and defense sectors. But the issue became muddled by recent disclosures of spying by the U.S. National Security Agency (NSA).

The details of the NSA's spying campaigns make it clear that determining the attacker is now a much harder matter, as the NSA often reportedly targets American businesses and citizens alike with attacks, which it claims protect national security. Some of these attacks are routed through servers housed in regions known for cyber-aggression such as China, raising the risk of false identification (likely the intention).

The NSA is another possible proprietor of the attack. [Image Source: Occupy]

Thus at this point the attacker in this campaign to exploit IE's Flash and scripting flaw appears to be highly sophisticated, pointing to a handful of the usual suspects -- the NSA, China, and Eastern European cybercriminals. Whoever's behind these attacks, though, Fire Eye says it believes they have been going on for about a year now.

V. Patching Outlook and How to Protect Yourself

Microsoft is working to patch the flaw in newer versions of Internet Explorer and Windows. But many users of Windows XP -- the most used operating system of last decade -- are in the dark after support to most SKUs of Windows XP ended earlier this month. Point-of-sale versions of Windows XP are being maintained, and Microsoft has pledged to offer proprietary fixes to a handful of large enterprise users willing to pay it a ransom for the ongoing support. However, for the majority of XP users -- including enterprise clients -- no fix is in sight.

The Windows OS maker's suggestion to customers at risk is to upgrade to a newer version of Windows such as Windows 7 or Windows 8.

Microsoft says the flaw -- which will not be patched on most Windows XP installations -- is one more reason to "turn off" Windows XP and upgrade.